September 2012

2012.09.29

Last night’s homework was simple. Read an online article,
list in your notebook 5 words you need to learn the meaning of and make
sentences with each. Simples!

Fifteen minutes passed before I decided to check on the
wailing and crying. What was wrong? Dictionary.com does not have the word “anjacent”!
And neither does the hardcopy Oxford dictionary! What to do?!

That was a classic example of how important it is to record
information correctly. A lot of time and energy was wasted on a definite
dead-end. Unfortunately this is not limited to children but can be found in
businesses where information is erroneously collected.

People’s names can be the trickiest because without a
standard we can record both the official name and a nickname of someone in
different parts of an information system. This is a recipe for frustration and
time wasting. How do we translate that Bob = Rob = Robert?

A different name can create problems in obvious systems such
as the contacts directory and email, but it can also prove to be problematic in
granting access control to IT systems. It might be possible for Bob and Rob to
be working on two different projects, each with its own access rights, while they
are in fact one person.

This lowers the level of accountability and can waste time correcting
the initial mistaken identity. There should be a policy stating how the company
supports initiatives to maintain data integrity. It will advise staff to consistently
identify themselves.

There are technologies to help with this. Applications can
insist on input formats, ID numbers help, and directory services such as
Active Directory and OpenLDAP give every person one record, all of which must be
supported by strong managerial vision.
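The Bob = Rob = Robert problem above is easiest to see as an audit over access records. The following is an added example, not code from the original post: it constructs a few sample access rows, compares how many "people" a system sees when it keys on the name as typed, on a nickname-normalised name, and on a directory-issued employee ID, and flags the case where one ID carries several display names and therefore an accumulated set of rights. The records, the nickname table and the `employee_id` field are all constructed assumptions.

```python
"""Identity reconciliation audit for access records.

Added example for this blog entry; not code from the original post. The
access records, nickname table and the assumption that a directory service
supplies a stable employee ID are constructed for illustration.
"""
from collections import defaultdict

# Constructed sample access records: one row per (account, project). The
# 'employee_id' is the stable key a directory service such as Active
# Directory or OpenLDAP would hold; 'display_name' is whatever each project
# team happened to record.
ACCESS_RECORDS = [
    {"employee_id": "E1042", "display_name": "Robert Smith", "project": "payroll",   "rights": {"read", "write"}},
    {"employee_id": "E1042", "display_name": "Bob Smith",    "project": "hr-portal", "rights": {"admin"}},
    {"employee_id": "E1042", "display_name": "Rob Smith",    "project": "crm",       "rights": {"read"}},
    {"employee_id": "E2077", "display_name": "Alice Jones",  "project": "payroll",   "rights": {"read"}},
    {"employee_id": "E3001", "display_name": "Bob Taylor",   "project": "crm",       "rights": {"write"}},
]

# Constructed nickname table: short forms mapped to a canonical given name.
NICKNAMES = {"bob": "robert", "rob": "robert", "bobby": "robert",
             "bill": "william", "will": "william", "liz": "elizabeth"}


def canonical_name(display_name: str) -> str:
    """Normalise case and whitespace and expand a known nickname.
    Only the first token is treated as the given name (an assumption)."""
    tokens = display_name.strip().lower().split()
    if not tokens:
        return ""
    tokens[0] = NICKNAMES.get(tokens[0], tokens[0])
    return " ".join(tokens)


def group_records(records, key_func):
    """Group access records under whatever identity key key_func returns."""
    groups = defaultdict(list)
    for rec in records:
        groups[key_func(rec)].append(rec)
    return groups


def fragmented_identities(records):
    """Audit check: one employee ID recorded under more than one display name.

    Returns {employee_id: {"names": [...], "projects": [...],
    "combined_rights": [...]}} for every fragmented ID. The combined rights
    are what the single real person can actually exercise, which is the
    accountability problem the text describes."""
    report = {}
    for emp_id, recs in group_records(records, lambda r: r["employee_id"]).items():
        names = {r["display_name"] for r in recs}
        if len(names) > 1:
            rights = set().union(*(r["rights"] for r in recs))
            report[emp_id] = {
                "names": sorted(names),
                "projects": sorted(r["project"] for r in recs),
                "combined_rights": sorted(rights),
            }
    return report


def people_count_by_raw_name(records):
    """How many 'people' a system sees if it keys on the name as typed."""
    return len(group_records(records, lambda r: r["display_name"]))


def people_count_by_canonical_name(records):
    """How many after nickname normalisation (better, but still a heuristic)."""
    return len(group_records(records, lambda r: canonical_name(r["display_name"])))


def people_count_by_id(records):
    """How many when keyed on the directory-issued employee ID."""
    return len(group_records(records, lambda r: r["employee_id"]))


if __name__ == "__main__":
    print("raw names   :", people_count_by_raw_name(ACCESS_RECORDS), "people")
    print("canonical   :", people_count_by_canonical_name(ACCESS_RECORDS), "people")
    print("employee id :", people_count_by_id(ACCESS_RECORDS), "people")
    for emp_id, info in fragmented_identities(ACCESS_RECORDS).items():
        print(f"{emp_id}: {info['names']} across {info['projects']} -> {info['combined_rights']}")
```

On the sample data the raw-name view sees five people, while both the nickname-normalised and the ID-keyed views see three. The nickname table only happens to agree with the directory here: it cannot tell a "Bob Taylor" from a different "Robert Taylor", and it misses nicknames it has never heard of, so the reliable key is the one the directory issues. The `fragmented_identities` check is the routine audit worth running: an ID spread across several display names is exactly where rights accumulate unnoticed.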

2012.09.22

I lived on a farm in the countryside where we never locked the doors. The house was up a 1km track and we were already living where the crows turn back. Locking the doors seemed a waste of time. Over 2 years there was never an incident. It was the wind that blew off the roof in a February storm. We had to move for months while it was repaired.

One risk was covered by our knowledge of the area and the other was covered by a contract with the landlord. Keeping all our stuff intact was very important to us and so was having a warm dry house.

Information Security bases all its efforts at protecting data on a triad of targets: the Confidentiality, Integrity and Availability of information. Systems are analysed for their ability to provide the desired combination of the three for each process within them.

Each organisation will decide on the different combinations. Within a business, sub-divisions will have their own versions of the combinations. The requirements depend on the value of what item is being protected and what means are available to lower the risks of not being able to continue operating.

There are formulas and frameworks to help with these decisions but my farmhouse experience shows they can be judgements made on the ground. The common driving factors I believe are the commitment to protect value and compliance with the laws and regulations.

The trick, as in most things, is achieving efficiency in outcomes. To keep an item safe the protection should be as little as needed and as strong as it should be.

2012.09.15

There is no silver bullet for how best to bake InfoSec into
the behaviour of a company. There will not be much uptake until the benefits of
doing this are clear and the penalties become concrete.

The UK’s Information Commissioner’s Office (ICO) has first
concentrated on government bodies with respect to DPA infringements and fines
but it will also focus on private enterprise when it gets its mechanisms
polished. Your company will want to be in a good place then.

The pace of technology is dictating how quickly the
traditional role of InfoSec can become redundant. Cloud-based solutions for
example allow internal teams to easily adopt a technology without considering
the risks. Why? These offerings are 'plug and play' with very low entry
barriers. If InfoSec remains a high barrier checkpoint, it will be
circumvented. Unfortunately that could lead to a breach and consequential
damage to your company.

InfoSec teams need to restructure their position and
offering within organisations. InfoSec has to secure more leverage for its
function either by becoming part of the development process or by continuing in the role of
final arbiter for projects that are about to go live. The first option is more
practical.

To accomplish that takes commitment to advertising the
skills and utilities an InfoSec team can offer. Internal blogs are a good place
to start. They are easy to publish and do make an impact when done regularly in
an engaging fashion.

When the content is consistent, interesting and
informative, staff appreciate the value of company information, how it is being
protected and what role they can play in keeping data secured.

2012.09.08

Q: Do all employees (permanent staff and staff contracted
from other organisations) all receive information security awareness training?

A: Not all staff receive this training but the key Technical
staff do.

I ran across this Q&A this week and it led to a thought: we
are struggling to set a place for InfoSec Awareness in the arsenal. Even if there is
agreement to support such training, there is still the discussion of whom to
focus it on.

I try to think of Information Security as an eternal endeavour.
Humans have been keeping secrets for competitive advantage for a very long
time. The change in technology is a constant. If there is a group of people
working towards a goal, all should understand the value of the operating information.

If the question above had been asked at a large company in the
1920s, would it have been okay to say that the technicians were aware of the
value of the information and the rest of staff were not? Organisations receive,
generate, process, store and dispose of information in numerous formats.

InfoSec efforts should be applied at all points where
valuable information and a risk of exposure intersect. The profile and potency
of each effort will depend on choices made by the organisation.

One of the weakest points will be staff members who do not
appreciate what information means to the business. Training those people will
go a long way in increasing the defence of the company’s prime asset, information.